A Robust ESP8266 RFID Access Control System

By now we’ve seen plenty of projects that use an ESP8266 as a form of rudimentary access control: tap a button on your smartphone, and the door to your apartment unlocks. With the power and flexibility of the ESP, it’s a very easy project to pull off with minimal additional hardware. But what about if you want to get a little more serious, and need to support many users?

Rather than reinvent the wheel, you might want to check out the extremely impressive ESP-RFID project. It’s still based on the ESP8266 we all know and love, but it combines the diminutive WiFi-enabled microcontroller with a nice custom PCB and some exceptionally slick software to create a very professional access control system without breaking the bank. As the name implies, the system is geared towards RFID authentication and supports readers such as the MFRC522, PN532 RFID, or RDM6300. Add in a stack of Mifare Classic 1KB cards, and your hackerspace is well on the way to getting a new door control system.

The official hardware for ESP-RFID can be purchased through Tindie with or without an installed ESP-12F module, but as it’s a fully open source project, you’re also free to build your own version if you’d like. In either event, the board allows you to easily connect the ESP up to your RFID reader of choice, as well as door sensors and of course the door locks themselves.

On the software side of things, ESP-RFID should be able to handle about 1000 unique users and their RFID cards before the relatively limited RAM and storage of the ESP catches up with it. But if you’ve got that many people coming and going in your hackerspace, it might be time to update your systems to begin with. Incidentally, the project makes no guarantees about the security of the ESP-RFID code, and says that the system shouldn’t be used for secure locations. That said, you can run ESP-RFID without an Internet connection to reduce your attack surface, at the cost of losing NTP time synchronization.

I am finishing up my ESP32 NFC device with motion detection (for when you exit). You can find kicad files and code on my github: https://github.com/physiii/nfc-lock – I’ll push the blender model there once I run a test print.

I’m sorry, but I get tired of hearing these kinds of phrases: (On a secure door lock): “Not to be used for secure locations”. This is chicken sh** engineering. Stand behind your design. Ferret out problems in your requirements and fix them. It’s just poor engineering if you make a product billed as a solution for something, then say in fine print “by the way, don’t use it for it’s advertised purpose”.

No project like this is ever going to give you a guarantee that it’s suitable for security, because it would take them liable.

Right in the MIT license (which this project uses) it says “The software is privided “as-is”, without warranty of any kind”. Going against that just so some commenter on the internet doesn’t call them a chickenshit doesn’t sound very wise.

A disclaimer is like “Enter at your own risk” it protects the designer if there were an issue and they were to be sued. This is standard practice. I work for an alarm company and we state that are alarms deter theft. It is just a fact of life if some wants to steal from you, they will find a way. Not bad engineering just common sense. The statement is for people who do not have that common sense.

I feel you, when I was started working on this project I did not know much about programming (both frontend and backend), I tried my best to achieve a secure transaction between a reader and a RFID tag, but ultimately I realized that is not possible with the hobby grade (cheap) parts.

The only option is using heavily hardened proprietary tags (and still they are vulnerable to some side-channel attacks).

I really appreciate the reply. I understand where you’re coming from and that you’ve looked into the tech. I realize nothing is bulletproof, and it sounds like you’ve researched the options. In my original gripe, I was referring to projects where it seems the maker wasnt really serious about their work.
Nice job on the project itself. It is what it is, and it sounds like you know well what it’s limits and capabilities are.

I take it the lock on your house can’t be defeated by a skilled lock picker then. Good for you.

Sarcasm aside, that is exactly what you are saying:
Locksmith builds new kind of lock. Locksmith knows it can still be picked, but it’s still better for reasons xyz than the old lock. Locksmith admits honestly “it can be picked. Like any other lock.”
You shout “How DARE he be a a little chicken $hi÷!”
It’s a PROJECT not a PRODUCT. (Even if you can buy some boards on Tindie).

If you want product reviews, spend five minutes on Google and you will find hundreds of digital lock systems/devices far less secure than this one, delivered to your door in 48 hours or less.

That was my point though. How many of those systems have disclaimers telling the user not to use them for their stated purpose? I replied to the creator above buffering my original gripe a little, as it sounds like he really understands what the capabilities of this hardware are. I just don’t like the almost knee-jerk reaction our litigious society has formed in us as creators because we have to worry about being sued for everything. There are those who almost automatically discount the robustness of their work, all for the just-in-case scenario of someone hacking it. But does that fear really let people deliver their best? Does it let me as a user have confidence that they’ve tried their best? No and no.

“I just don’t like the almost knee-jerk reaction our litigious society has formed in us as creators because we have to worry about being sued for everything.”

Don’t blame the makers or hackers, blame the lawyers. If lawyers were not using their profession to analyze and deconstruct everything ever built or said so that they could charge more billable hours then disclaimers and statements to that effect would not be required in this age. In the end those statements need to be made because the majority of us do not have the money to put up to fight someone who is unwilling to think (and rationally analyze a product or situation) but has the money to pay a lawyer, so we end up with phrases and statements that remove general liability from most legal antics.

I hear what you are saying, I really do, but the makers and the hackers are not the ones to get mad at here. They are just trying to CYA because they would rather not loose their house due to someone with more cash than brains and a half decent lawyer.

“But does that fear really let people deliver their best? Does it let me as a user have confidence that they’ve tried their best? No and no.”

First, if stating a disclaimer is going to affect the quality of the project then the maker was never going to deliver their best to begin with. If a maker is going to deliver their best then they will do so with or with out a disclaimer.

Second, if a disclaimer is effecting your evaluation of a project then essentially you are a part of the problem. As i noted above, these types of disclaimers are due to people not being able to accurately evaluate a project on its merits and thus relying on lawyers to make up for their own personal mistakes. In one sentence you have pretty much stated that the disclaimer takes away from your confidence in the project while the statement doesn’t actually affect the quality or substance of the project its self. So essentially you have proven why the disclaimers are necessary in your statement about the disclaimer.

Sorry to destroy how you see the world…. But, as long as there is a transmission, there are ways to compromise it.
And most locks are even worse

If you store some gold and expensive art, this may be not the right solution. If you have a frigging garden shack, storing some tools, this is perfectly fine. If you have some machinery in your makerspace, which only some people should use, this could be perfect. So instead of having some key somewhere you just give cheap badges to those folks.